Managing cyber risk: Why Australian enterprises should adopt New Zealand’s new privacy laws

Australian enterprises and listed companies can benefit strongly from adopting New Zealand’s new privacy laws as a model for how to manage cyber risk. New Zealand’s laws bring information security ethics forward, significantly beyond just focusing on mandatory disclosure.

Private sector organisations with an annual turnover of more than $3 million and Commonwealth public sector agencies in Australia are bound by the mandatory breach notification laws. ASX-listed companies also have other obligations to notify the ASX of anything that could materially affect share price.

Cybersecurity breaches can have widespread implications not only affecting businesses, but also jeopardising essential service provision — as we saw recently when Eastern Health, the operator of four hospitals in Melbourne, was hit by a cyber attack forcing it to postpone elective surgeries.

The new privacy laws in New Zealand now mean that Australian businesses holding personal information about New Zealand residents need to report not only when data is accessed by unauthorised users, but also when that data becomes inaccessible and where the loss of access causes harm.

This is far broader than the Australian rules, which only require a report where Personally Identifiable Information (PII) is accessed by unauthorised users. Section 117 (1) of the New Zealand Privacy Bill defines a privacy breach as either “unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or an action that prevents the agency from accessing the information on either a temporary or permanent basis”.

Unlike Australia’s current laws, New Zealand has made non-compliance with its new laws a human rights violation, highlighting that cybersecurity goes beyond simply technology. It can, and does, have significant effects on all aspects of business and can directly affect not only users and customers, but the broader community.

Importantly, information does not need to be stolen to trigger a report — it just needs to be inaccessible. Inaccessible information could include data with an obvious high availability requirement such as patient medical information, or even potentially sales data for a retailer or energy use information at a utility.

CIOs, CISOs and CSOs in Australia are obliged to have processes in place to ensure PII is protected and that, in the event of a breach, procedures for notifying affected parties and the Office of the Australian Information Commissioner (OAIC) are executed within specific timeframes.

But those cyber risk obligations for entities also operating in New Zealand are now only part of the story.

For senior IT leaders, threats such as ransomware and denial of service attacks that can make data inaccessible, or even potentially lost forever, now must be reported to the New Zealand Privacy Commissioner. Even a system outage that limits customers from accessing PII could result in a business being obligated to notify the New Zealand Privacy Commissioner.

With over a quarter of reported cyber attacks resulting in loss of access to data, this change to New Zealand’s legislation means the number of reportable incidents is likely to increase significantly.

The notification regime in Australia does not compel businesses that are subject to the Privacy Act to notify anyone where PII is inaccessible. It does not even require a business to notify anyone if the data is permanently lost. There is some provision for ASX listed companies to provide notifications to the Australian Securities and Investments Commission under ASX Listing Rule 3.1 — which says companies are obligated to disclose any information that a reasonable person would expect to have a material impact on the value of a company. But that is not specifically focused on the impact of cyber incidents and their effect on access to PII or other types of data.

Even if your company doesn’t conduct business with New Zealand, have New Zealand customers, or operate in other overseas jurisdictions, it is wise to ensure your privacy controls and response plans consider the loss of access to PII and not just disclosure to unauthorised persons. Voluntarily adopting the New Zealand laws can help Australian enterprises better mitigate cyber risk and protect reputation.

This isn’t just to meet a regulatory or compliance requirement. It makes good business sense and protects both brand and reputation.